
DNS Changer and Flashback: Two Lessons in Modern Malware

DNS Changer and Flashback show just how computer viruses have changed. You may have one and not know it.

Computer viruses used to be simple. Your PC (never a Mac) became infected and, depending on the virus, your computer would die, run slowly, or open up dozens of web pages every time you started your browser. You knew when your computer was infected.

Now things are not so clear. Macs are no longer immune. Malware such as Trojans and worms can slip onto a PC or Mac when the user simply visits a web page. Hundreds of thousands of infected computers, organized into networks called botnets, can be commanded to attack a web site in unison. Usernames and passwords are stolen. DNS is hijacked, so that a perfectly ordinary web address a user types in is quietly answered with the address of a sketchy web neighborhood instead.

Two recent malware news stories making the rounds serve to illustrate and inform about this state of affairs: DNS Changer and Flashback.

DNS Changer

The first might be a good news story, except that because of an earlier infection hundreds of thousands of PC and Mac users could be in for a brutal surprise come July 9, when their Internet connections will stop working properly because the FBI is switching off the substitute DNS servers it has been running for them.

That's right, the FBI, which is now in the business of running Domain Name System servers and does not want to be. In November, a ring of six Estonian hackers operating as Rove Digital was busted for infecting more than half a million computers worldwide with malware that silently pointed them at DNS servers the ring controlled, steering users to websites the ring ran, which carried advertising that paid them for each ad impression.

DNS servers are the address book of the Internet. They take the name a user types into a browser or uses to send an email and translate it behind the scenes into the numerical address that computers actually connect to. So, for instance, the numerical address for Patch.com, known as an IP address, is 205.188.95.51. Typing that number into a browser will take a user to the same page as typing Patch.com (for many smaller sites that share one server with others, the bare number would not work, but the principle is the same: no name lookup, no web).

The DNS Changer malware replaced the DNS server settings on victims' computers with the addresses of a network of DNS servers run by the hackers. Because the victim's computer now trusted those servers to answer every lookup, a popular name, say, Google.com, could be answered with the IP address of a site the hackers chose instead of the intended one. The FBI says the ring made at least $14 million on ad impressions this way.

When authorities took down the ring, the FBI faced a quandary. Simply unplugging the rogue DNS servers would leave half a million PCs and Macs still configured to ask those servers for every lookup, so to their owners the Internet would appear to have stopped working. In reality, the IP addresses would still work, but who knows or wants to type 205.188.95.51 instead of Patch.com?

"If we just pulled the plug on their criminal infrastructure and threw everybody in jail, the victims of this were going to be without Internet service," Tom Grasso, an FBI supervisory special agent, said in a statement. "The average user would open up Internet Explorer and get 'page not found' and think the Internet is broken."

So the FBI arranged, under a court order, for clean substitute DNS servers to be run at the rogue servers' addresses. The agency plans to pull the plug on those servers July 9, so it is warning PC and Mac users to check their machines. The good news is that it's as simple as visiting the DNS Changer Working Group website, dcwg.org, to find out whether a computer is still pointed at the rogue addresses and to get instructions for cleaning it up.
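The dcwg.org check works by looking at which DNS servers your computer is configured to use and comparing them against the address ranges the FBI and the DNS Changer Working Group published for the rogue servers. The script below is an added example, not code from the article or from the working group: it does the same comparison offline against resolv.conf-style text. The six ranges are the ones published for Operation Ghost Click; verify them against dcwg.org before relying on the list, since the page above does not reproduce it. The two sample configurations are constructed for the demonstration.

```python
import ipaddress
import sys

# Rogue resolver address ranges published by the FBI and the DNS Changer
# Working Group for Operation Ghost Click, written as CIDR blocks.
# Assumption: this list is complete and current; check dcwg.org.
ROGUE_RANGES = [
    ipaddress.ip_network(cidr) for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]


def parse_nameservers(resolv_conf_text):
    """Return the IP addresses named on 'nameserver' lines of resolv.conf text.

    Comments and malformed addresses are skipped rather than raising, so the
    check still runs on a partially broken configuration file.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def is_rogue(address_text):
    """True if the address falls inside one of the published rogue ranges."""
    addr = ipaddress.ip_address(address_text)
    return any(addr in net for net in ROGUE_RANGES)


def rogue_resolvers(resolv_conf_text):
    """Return, as strings, the configured resolvers that are in rogue ranges."""
    return [str(s) for s in parse_nameservers(resolv_conf_text)
            if is_rogue(str(s))]


# Constructed sample configurations (not captured from a real machine).
SAMPLE_CLEAN = """# resolv.conf of a clean machine
nameserver 8.8.8.8
nameserver 192.168.1.1
"""

SAMPLE_INFECTED = """# resolv.conf of a machine still pointed at a rogue server
nameserver 85.255.116.10
nameserver 8.8.4.4
"""


if __name__ == "__main__":
    # Check the live file when one is given, otherwise run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            hits = rogue_resolvers(fh.read())
        print("rogue resolvers:", hits or "none")
    else:
        print("clean sample:", rogue_resolvers(SAMPLE_CLEAN) or "none")
        print("infected sample:", rogue_resolvers(SAMPLE_INFECTED) or "none")
```

On Linux or a Mac, run it as `python3 check_dns.py /etc/resolv.conf`. On Windows, the equivalent is to read the "DNS Servers" lines from `ipconfig /all` and pass each address to `is_rogue`. Note that a clean local result does not prove a clean network: DNS Changer also rewrote the settings of some home routers, so the router's own upstream DNS entries deserve the same comparison.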

Flashback

Flashback is believed to have first spread through compromised WordPress blogs, originally disguised as an automatic update for Adobe Flash that users were tricked into installing; that is why it is classed as a Trojan. Later variants dropped the disguise and exploited a hole in Java instead, so that just visiting a compromised blog page with a Mac was enough to become infected, with nothing to click.

The original intent appeared to be to steal usernames and passwords, which were then sent on to servers run by the attackers. Now the intent is not as clear. What is known is that an infected Mac will attempt to contact one of these command servers daily, at a constantly changing address, to receive instructions on what to do next.
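A daily-changing contact address is usually produced by a domain generation algorithm: the malware and its operators both derive the day's domain from a shared secret and the date, so defenders cannot block one fixed address. The flip side is that anyone who recovers the algorithm and its seed can precompute the coming weeks of domains and sinkhole or block them in advance. The example below is added here to show that mechanism; it is not Flashback's actual algorithm, which the article does not describe, and the seed and domain suffixes are hypothetical.

```python
import datetime
import hashlib

# Hypothetical per-botnet secret. Real malware embeds something like this in
# its binary; the value here is made up for the demonstration.
SEED = b"example-botnet-seed"

# Hypothetical set of suffixes the generator rotates through.
TLDS = (".com", ".net", ".info")


def daily_domain(day_iso, seed=SEED):
    """Derive the contact domain for one day (ISO date string, e.g. 2012-04-01).

    Hashing seed + date gives a value both sides can compute but an outsider
    cannot predict without the seed. The first 12 hex digits become the label
    (hex is DNS-safe: letters and digits only), two more pick the suffix.
    """
    digest = hashlib.sha256(seed + day_iso.encode("ascii")).hexdigest()
    label = digest[:12]
    tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
    return label + tld


def domains_for_window(start_iso, days, seed=SEED):
    """Precompute the domains for `days` consecutive days starting at start_iso.

    This is the defender's use of a recovered generator: the output can be
    fed to a sinkhole or a DNS blocklist before the bots ever ask for them.
    """
    start = datetime.date.fromisoformat(start_iso)
    return [daily_domain((start + datetime.timedelta(days=i)).isoformat(), seed)
            for i in range(days)]


def matches_dga(domain, start_iso, days, seed=SEED):
    """True if `domain` is one the generator would produce in the window.

    Useful for flagging a DNS query seen in logs as probable beaconing.
    """
    return domain.lower().rstrip(".") in set(domains_for_window(start_iso, days, seed))


if __name__ == "__main__":
    for d in domains_for_window("2012-04-01", 7):
        print(d)
```

Two properties matter operationally. Without the seed, the daily domains look like random noise and are only recoverable by reverse engineering a sample; with it, `domains_for_window` yields a complete blocklist for any period. Comparing outbound DNS queries against that list with `matches_dga` is how a sinkhole operator or a corporate resolver tells an infected machine's daily check-in from ordinary traffic.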

Botnets like this are often used to attack websites by flooding a targeted site with tens of thousands of simultaneous and incessant requests for pages. The attack, known as a Distributed Denial of Service attack, or DDoS, typically overwhelms the site and makes it inaccessible.

The big surprise has been that Flashback has infected so many Macs, as many as 640,000 by one estimate, and that it occurred so easily on a platform that many had considered free of such trouble.

The Java hole Flashback relies on is not new. The Trojan itself was first spotted last fall, and Oracle fixed the Java vulnerability in February, which protected Windows PCs. But Apple ships its own build of Java for Macs and does not let Oracle or other third parties update it directly, and Apple did not distribute the fix until earlier this month, when the extent of the infection on Macs began to be reported.

Apple's update also removes the malware, and the number of infected Macs had been thought to be falling. But security researchers last week detected a variant of Flashback that Apple's tool will not remove, and some believe the infection is spreading again.

What's clear from both Flashback and DNS Changer is the importance of keeping a computer, whether a PC or a Mac, up to date with security patches and protected with anti-virus software, and of knowing which DNS servers it is actually using. It's also important to keep your data backed up in case something should go wrong.
